Getting x509: certificate has expired or is not yet valid in custom cluster

Hi, I’m getting the following error in the rancher master
6 controllermanager.go:184] error building controller context: failed to wait for apiserver being healthy: timed out waiting for the condition: failed to get apiserver /healthz status: Get https://localhost:6443/healthz?timeout=32s: x509: certificate has expired or is not yet valid

I cannot rotate the certificates since the master is down and it restarts constantly. This cluster is not managed by rke, the nodes were added manually.

What to do in this case? The workers nodes are still up but I cannot get the rancher server up.


I have the same problem: I would have to rotate the certificates but rancher won’t start since the certificates are expired. How can I rotate the certificates manually?

ok, after an upgrade to Rancher 2.4.3, Rancher started successfully. Apparently, the certificates of the kube-apiservers were valid, as I found out using openssl s_client.

I restored snapshots for the rancher master and etcd VMs, then I followed the workaround 2 from here: and it worked.